ICO (UK) - Global One 2015: Difference between revisions
From GDPRhub
Mariam-hwth (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N...") |
Mariam-hwth (talk | contribs) No edit summary |
||
| Line 50: | Line 50: | ||
}} | }} | ||
The UK DPA (ICO) imposed a fine of around €11600 on | The UK DPA (ICO) imposed a fine of around €11600 on Global One 2015. This charity infringed regulations 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing an address for individuals to refuse such marketing. | ||
== English Summary == | == English Summary == | ||
Revision as of 21:01, 17 June 2021
| ICO (UK) - Global One 2015 | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 Regulation 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 14.06.2021 |
| Published: | 15.06.2021 |
| Fine: | 10000 GBP |
| Parties: | Global One 2015 |
| National Case Number/Name: | Global One 2015 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | Information Commissioner's Office (in EN) |
| Initial Contributor: | n/a |
The UK DPA (ICO) imposed a fine of around €11600 on Global One 2015. This charity infringed regulations 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing an address for individuals to refuse such marketing.
English Summary
Facts
Global One is a charity that aims to impove health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals having received unsolicited text messages from Global One. These complaints occured between the 30 April 2020 and 22 May 2020 where 573,000 texts were sent overall. The texts did not offer individuals the opportunity to opt-out.
Global One had entered into an agreement with a third party (X) that was to provide them with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gian donations. Global One says it assumed that this would be a marketing list that belonged to the third party (X). However, the third party (X) themselves commissioned another third party (Y) to deliver the test messaging campaign. The third party (Y) claimed that the list they used was compliant with relevant laws.
However, there was no evidence of consent being provided. Global One claimed to have undertaken due diligence, whilst the party it contracted with (X) claimed that it only advised Global One onto various other agencies.
Dispute
Does sending marketing text to individuals where consent was gathered by a third party breach regulations 22 and 23 PECR?
Holding
The Information Commissioner's Office hld that Global One infringed Regulations 22 and 23 PECR.
Global One relied on consent obtained by another organisation to send these text messages. However, the ICO's view is that organisations must gather better consent. Indirect consent collected by a third party is only authorised where it is clear and specific enough.
As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One breach regulation 22 PECR.
The ICO also held that Global One breached Regulation 23(b) PECR as it did not provide a valid address to recipients of marketing for them to send a request to refuse marketing. There was no procedure in place for handling such requests from individuals.
The ICO therefore decided to imposed a fine of around €11600 on Global One from breaching regulations 22 and 23 PECR. The ICO concluded that the contravention was serious and negligent. The fine can be reduced by 20% if paid within a month.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
•
ICO.
Information Commissioner's Office
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENAL TY NOTICE
To: Global One 2015
Of: 4 Gateway Mews, Bounds Green, London, Nll 2UT
1. The InformationCommissioner ("Commissioner") has decided to issue
Global One 2015 ("Global One") with a monetary penalty under section
SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation
to a serious contraventiof Regulation 22 of the Privacy and
Electronic Communications(EC Directive) Regulations 2003 ("PECR").
2. This notice explainse Commissioner's decision.
Legal framework
3. Global One, whose registered office is given above (Companies House
Registration Number: 07517992) is the organisatistated in this
notice to have instigated the transmission of unsolicited
communications by means of electronic mail to individual subscribers
for the purposes of direct marketing contrary to regulation 22 of PECR.
4. Regulation 22 of PECRstates:
1 •
ICO.
Information Commissioner's Office
"(l) This regulation applies to the transmission of unsolicited
communications by means of electronic mail to individual
subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person
shall neither transmit,nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of
electronic mail unless the recipient of the electronic mail has
previously notifiedthe sender that he consents for the time being
to such communications being sent by, or at the instigation of, the
sender.
(3) A person may send or instigate the sending of electronic mail for
the purposes of direct marketing where-
(a) that person has obtained the contact details of the recipient
of that electronic mail in the course of the sale or
negotiations for the sale of a product or service to that
recipient;
(b) the direct marketing is in respect of that person's similar
products and services only; and
(c) the recipient has been given a simple means of refusing
(free of charge except for the costs of the transmission of
the refusal) the use of his contact details for the purposes
of such direct marketing, at the time that the details were
initially collected, and, where he did not initially refuse the
use of the details, at the time of each subsequent
communication.
(4) A subscriber shall not permit his line to be used in contraventionof
paragraph (2)."
2 •
ICO.
Information Commissioner's Office
5. Regulation 23 of PECRstates that "A person shall neither transmitnor
instigate the transmission of, a communicationfor the purposes of
direct marketing by means of electronic mail -
(a) where the identity of the person on whose behalf the
communication has been sent has been disguised or
concealed;
(b) where a valid address to which the recipient of the
communication may send a request that such
communications cease has not been provided;
(c) where that electronic mail would contravene regulatio7 of
the Electronic Commerce (EC Directive) Regulations 2002;
or
(d) where that electronic mail encourages recipients to visit
websites which contravene that regulation."
6. Section 122(5) of the DPA 2018 defines "direct marketing" as "the
communication (by whatever means) of any advertising material which
is directedo particular individuals". This definition also applies for the
purposes of PECR.
7. Consent is defined in Article 4(11) the General Data Protection
Regulation 2016/679 as "any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmatiaction, signifies
agreement to the processing of personal data relating to him or her".
8. "Individual"is defined in regulation 2(1) of PECRas "a living individual
and includes an unincorporated body of such individuals".
3 •
ICO.
Information Commissioner's Office
9. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
a party to a contract with a provider of public electronic
communications services for the supply of such services".
10. "Electronic mail" is defined in regulation 2(1) of PECRas "any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
recipient's terminal equipment until it is collected by the recipient and
includes messages sent using a short message service".
11. Section SSA of the DPA (as amended by the Privacy and Electronic
Communications (EC Directive)(Amendment) Regulations 2011 and the
Privacy and Electronic Communications (Amendment) Regulations
2015) states:
"(l) The Commissioner may serve a person with a monetary penalty if
the Commissioner is satisfied that -
(a) there has been a serious contraventionof the requirements
of the Privacy and Electronic Communications (EC
Directive) Regulations 2003 by the person,
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contraventiwas deliberate.
(3) This subsection applies if the person -
(a) knew or ought to have known that there was a risk that
the contravention would occur, but
(b) failed to take reasonable steps to prevent the
contravention."
12. The Commissioner has issued statutory guidance under section SSC (1)
of the DPA about the issuing of monetary penalties that has been
4 •
ICO.
Information Commissioner's Office
published on the ICO's website. The Data Protection (Monetary
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
that the amount of any penalty determined by the Commissioner must
not exceed £500,000.
13. PECRwere enacted to protect the individual's fundamentaright to
privacy in the electronic communicatiosector. PECRwere
subsequently amended and strengthened. The Commissioner will
interpret PECRin a way which is consistent with the Regulations'
overall aim of ensuring high levels of protection for individuals' privacy
rights.
14. The provisions of the DPA remain in force for the purposes of PECR
notwithstanding the introductioof the Data Protection Act 2018 (see
paragraph 58(1) of Part 9, Schedule 20 of that Act).
Background to the case
15. Phone users can report the receipt of unsolicited marketing text
messages to the GSMA's Spam Reporting Service by forwarding the
message to 7726 (spelling out "SPAM"). The GSMA is an organisation
that represents the interests of mobile operators worldwidThe
Commissioner is provided with access to the data on complaints made
to the 7726 service and this data is incorporated into a Monthly Threat
Assessment (MTA) used to ascertain organisations in breach of PECR.
16. Global One operates as a charity involved in issues such as improving
health, sanitation and agriculture. Their work covers a number of
internationalcountries, including the United Kingdom. Global One is
registered with the Charity Commission, Companies House and the
ICO.
5 •
ICO.
Information Commissioner's Office
17. Global One came to the attention of the Commissioner after numerous
complaints were received via the 7726 complaints tool about
unsolicited text messages. Between 30 April 2020 and 22 May 2020
539 complaints had been recorded on the 7726 system and 9 on the
ICO's online recording tool. These text messages contained, or
contained slight variations of, the following text:
"Coronavirus Emergency Pakistan, Syria & Bangladesh. Donate Food
& Hygiene Kits. Call (free): 03000113333 Online: globalone.org.uk
Watch us live on SKY 752."
18. It was noted that these texts did not offer individuals an ability to 'opt
out' of future unsolicited text messages.
19. An initial investigatletter was sent to Global One on 3 June 2020,
highlighting the Commissioner's concerns with its PECRcompliance and
requestinginformation relating to the volumes of texts sent, the source
of data used to send said texts, details of any due diligence
undertaken, together with evidence of consent relied upon for the
messages sent to individuals identified within complaintAn appendix
detailinghe complaints received was also attached.
20. Global One provided a response on 22 June 2020, stating that on 20
March 2020 it had entered into a "revenue raising and sharing
agreement" ("the agreement") with (''.")
under which • would provide a marketing strategy in relation to a
number of key initiativesGlobal One went on to explain that under the
agreement they "will have no right nor will seek to exercise any
direction, control or supervision over ; and that
has the sole right to control and direct the means, manner and method
by which the services required by the Agreement would be performed".
6 •
ICO.
Information Commissioner's Office
21. A copy of the agreement later provided by Global One makes no
mention of SMS marketing, however the agreement is summarised as
follows:
"The charity intends to procure as
consultant/advisers to develop and execute a revenue sharing
agreement, which will raise funds from public donations and allow the
charity to enhance and apply for more institutionafunding. The charity
wishes to diversify its fundraising income streams".
22. The letter went on to state that on 23 April 202? informed Global
One that it would be undertaking an SMS campaign to maximise
donations, which Global One says it assumed would be based on the
use of third-partymarketing lists belonging to •.
23. Global One advised that between April 2020 and May 2020, 573,000
SMS marketing messages were sent on its behalf. During this period,
• managed the SMS marketing campaign, and Global One say it only
became aware on 1 June 2020 that- had entered into a verbal
contract with a third party data supplier who undertook the sending of
the SMS using a marketing list belonging to that supplier.
24. In response to the Commissioner's request for evidence of consent to
send SMS messages to those who had been identified on the list of
complaints, Global One said it had not been provided this information
from ? and would need to approach. to obtain this. In a further
response dated 23 July 2020 Global One provided the following
information:
have confirmed that they commissioned the [third party
provider]to deliver the text messaging campaign.
7 •
ICO.
Information Commissioner's Office
The [third party provider]have confirmed in writing that the lists they
use are fully compliant data, please see the attached letter and
accompanying spreadsheet with their comments."
The attached letter indicated that the data is obtained from multiple
sources including "government records, licensing boards, directories,
telephone searches, memberships, attendee registers, website
registrationcounty courthouse records, credit reference agency data,
Secretary of State data, business magazines and newspaper
subscriptions". The spreadsheet of complaints provided by the
Commissioner had been amended to add a new column titled "Consent"
and the words "opt in for third party marketing" next to each
complainant.
25. On 21 August 2020 the Commissioner requested that Global One
provide evidence of the consent that had been obtained by the third
party data provider to market the complainants. In response, Global
One explained that it did not have access to this information and the
third party provider was reluctant to supply it. As such, no evidence of
consent has been provided.
26. The Commissioner went on to request copies of correspondence
between Global One, • and the third party data provider relating to
promotional or marketing activities. On 27 August 2020 Global One
replied, statinghat they had been unable to locate any such written
communications regarding the SMS marketing campaign which was
carried out on their behalf. The reason given was that all such
communications were conducted by telephone.
27. Enquiries raised by the Commissioner directly with •elicited the
following response:
8 •
ICO.
Information Commissioner's Office
" is aware of the current investigation being conducted by
the ICO in relation to one of our clients, Global One 2015. Other than
providing strategic recommendationson how to deliver charitable
appeal campaigns, we have done nothing more than advice/refer a
client onto various other agencies/companieto support them in being
able to reach a wider audience. We in this situation are not responsible
for due diligence or any contractual obligations for any work Global One
decide to undertake with any third party."
In subsequent Representations to the Notice of Intent however, Global
One evidenced an email from in which the contrary was
stated: "we undertook our responsibility to carry out due diligence on
the provider ". This statement was made in response to
enquiries made of by Global One dated 1 June 2020, and
which post-dated the SMS campaign.
28. The Commissioner has made the above findings of fact on the
balance of probabilities.
29. The Commissioner has considered whether those facts constitute
a contraventionof regulation 22 of PECRby Global One and, if so,
whether the conditions of section SSA DPA are satisfied.
The contravention
30. The Commissioner finds that Global One contravened regulations 22
and 23 of PECR.
31. The Commissioner finds that the contraventiowas as follows:
9 •
ICO.
Information Commissioner's Office
32. Between 24 April 2020 and 23 May 2020 Global One instigated the
transmission of 573,000 unsolicited direct marketing texts contrary to
Regulations 22 & 23 of PECR. This resulted in a total of 539 complaints
being received via the 7726 service and 9 via the Commissioner's
online reporting tool.
33. Global One, as the instigator of the direct marketing, is required to
ensure that it is acting in compliance with the requirementof
regulation 22 of PECR,and to ensure that valid consent to send those
messages had been acquired. The only exception to this is where the
provisions of Regulation 22(3) apply, otherwise referred to as the 'soft
opt-in'. As a charitable organisation, the 'soft opt-in' would not be
applicablein this instance.
34. Global One relied on consent obtained by another organisation for its
own purposes, i.e.'indirect consent'.The Commissioner's direct
marketing guidance says "organisations need to be aware that indirect
consent will not be enough for texts, emails or automated calls. This is
because the rules on electronic marketing are stricter, to reflect the
more intrusive nature of electronic messages."
35. It goes on to say that indirect consent can be valid but only if it is clear
and specific enough. Moreover, "the customer must have anticipated
that their details would be passed to the organisation in question, and
that they were consenting to messages from that organisation. This will
depend on what exactly they were told when consent was obtained".
36. The data lists utilised to transmit the SMS had been compiled from a
diverse listf sources. Whilst the third party data provider stated that
each complainant was "opted-in for third party marketing" Global One
has not provided any evidence of this to the Commissioner and appears
to have been reliant on the? 's verbal assurances that this was the
10 •
ICO.
Information Commissioner's Office
case. In representations to the Commissioner, Global One
demonstrated that some due diligence enquiries had been made of.
- in early June 2020, however these post-dated the
contravention and were insufficient to establish the existence of valid
consent to send the SMS.
37. The Commissioner is therefore satisfied from the evidence she has
seen that Global One did not have the necessary valid consent to
instigate the sending of the direct marketing messages. This
constitutes a contraventionof regulation 22 PECR.
38. Furthermore, Regulation 23(b) provides that individuals must be
provided with a valid address to which the recipient of the marketing
communication may send a request to refuse marketing. In
representations to the Commissioner, Global One stated that it had an
effective complaints process in place whereby any complaints it
received directly would be sent to in order that the data
could be supressed. was said to dear with their own
requests. The Commissioner finds it difficult to accept that
were in any position to handle direct requests, given that recipients of
SMS were unaware of .,s involvement and were not provided with
contact details. Althoughthe content of the messages identified Global
One and contained a link to their website, no address has been
provided for the third party who sent the messages. As Global One
were unaware that a third party was the sender of the messages
duringthe SMS marketing campaign, individuals informing Global One
that they objected to receiving such communications would have been
reliant upon Global One relaying these to , and then in turn
to the third party sender, and so in effect produced a convoluted,
unreliable and therefore ineffectual remedy. As such the Commissioner
considers that Global One are also in breach of Regulation 23.
11 •
ICO.
Information Commissioner's Office
39. The Commissioner has gone on to consider whether the conditions
under section SSA DPA are met.
Seriousness of the contravention
40. The Commissioner is satisfied that the contraventiidentified
above was serious. This is because between 24 April 2020 and 23 May
2020 Global One instigated a total of 573,000 unsolicited direct
marketing messages, resulting in total of 548 complaints.
41. In representationsto the Notice of Intent, Global One stated that it had
been the subject of a social media campaign of harassment, and SMS
recipients encouraged to make complaints against Global One. Details
provided to the Commissioner by way of evidence demonstrated that
any such campaign (in relation to which the Commissioner makes no
finding) post-dated the contraventioperiod and so the Commissioner
finds no good reasonto disregard the complaints as disingenuous.
42. Global One has failed to provide evidence of valid consent for any of
the 573,000 unsolicited direct marketing messages it instigated.
43. Furthermore, the messages did not contain adequate instruction on
how individualsmay opt-out of receiving further marketing.
44. It is apparent that Global One adopted a targeted strategy in order
both to raise their profile and increase their revenue stream during the
Covid-19 pandemic.
12 •
ICO.
Information Commissioner's Office
45. The Commissioner is therefore satisfied that condition (a) from
section 55A(l)DPA is met.
Deliberate or negligent contraventions
46. The Commissioner has considered whether the contravention identified
above was deliberate.
47. The Commissioner considers that Global One did not deliberately set
out to contravene PECRin this instance.
48. The Commissioner has gone on to consider whether the contravention
identified above was negligent. This consideration comprises two
elements:
49. Firstly, she has considered whether Global One knew or ought
reasonably to have known that there was a risk that these
contraventionswould occur. She is satisfied that this condition is met,
not least since the issue of unsolicited text messages have been widely
publicised by the media as being a problem.
50. The Commissioner has published detailed guidance for those carrying
out direct marketing explaining their legal obligations under PECR.
This guidance gives clear advice regarding the requirements of consent
for direct marketing and explains the circumstances under which
organisations are able to carry out marketing over the phone, by text,
by email, by post, or by fax. In particular it states that organisations
can generally only send,r instigate, marketing messages to
individuals if that person has specifically consented to receiving them.
The guidance is also clear about the significant risks of relying on
indirect consent, as Global One did in this instance.
13 •
ICO.
Information Commissioner's Office
51. In 2018 the charity sector came under much scrutiny following
investigations and penalties in respect of contraventiof PECR.
These investigations were well publicised at the time, receiving much
media attention and further engagement with the Charity Commission
and the ICO, including conferences to the third sector to highlight the
issues and promote compliance. The introduction of the Fund Raising
Preference Service in 2016 also provides advice and support to
charities with the aim of making it easier for them to understand the
standards expected when fundraising.
52. It is therefore reasonable to suppose that Global One should have been
aware of its responsibilities in this area.
53. Secondly, the Commissioner has gone on to consider whether Global
One failed to take reasonable steps to prevent the contraventions.
Again, she is satisfied that this condition is met.
54. During the course of the Commissioner's investigationresponses
provided by Global One indicated that they were aware that proper due
diligence should have been undertaken prior to entering into the
agreement with ? however due to time constraints no due diligence
was conducted, stating:"under normal circumstances we would have
had further meetings to fully review contractual terms and conduct
proper due diligence with regards to databases and compliance,
regrettably this was not the case". Global One instead relied on verbal
assurances provided by ?
55. Reasonable steps which the Commissioner might expect in these
circumstances could have included ensuring a comprehensive contract
was in place with • relating to the marketing campaign and the
provision of the data to be relied upon, to ensure its reliability and
14 •
ICO.
Information Commissioner's Office
validity. Global One failed to provide any evidence of communications
between itself and? regarding the SMS marketing campaign, other
than to say the matter was discussed and concluded in two telephone
meetings with •. Failure to formalise the obligation of due diligence
also ledto conflicting evidence during the investigation and subsequent
representations as to which party was thought to be responsible. There
was a clear lack of control over a direct marketing campaign launched
at their instruction ?o
56. Global One did later ask. for evidence of consent, but only after
commencement of the campaign, and after it had received complaints
directly in early May 2020. At that point Global One took no action to
pause or suspend the campaign whilst enquiries were made. Even then
Global One continued to rely upon .,s assurances without any actual
evidence of consent. Whilst Global One did attempt to undertake some
due diligence in early June 2020, it was only after it became aware that
the leads were supplied by a third party, and at the end of the
campaign in question. It would have been reasonable for Global One
to carry out its own checks as to how consent was being obtained prior
to instigating the SMS campaign, notwithstanding any assurances by
•· In short, simple reliance on assurances of indirect consent alone
without undertaking proper due diligence is not acceptable.
57. In the circumstances, the Commissioner is satisfied that Global One
failed to take reasonable steps to prevent the contraventions.
58. The Commissioner is therefore satisfied that condition (b) from section
SSA (1) DPA is met.
15 •
ICO.
Information Commissioner's Office
The Commissioner's decision to impose a monetary penalty
59. The Commissioner finds that there are no aggravating features of
this case.
60. The Commissioner has taken into account the following mitigating
features of this case:
• Since the commencement of the Commissioner's investigation
Global One has ceased all direct marketing activitiesand is
undertaking a full review of its data protection compliance.
61. Forthe reasons explained above, the Commissioner is satisfied that the
conditions from section 55A(l)DPA have been met in this case. She is
also satisfiedhat the procedural rights under section 55B have been
complied with.
62. This has included the issuing of a Notice of Intent, in which the
Commissioner set out her preliminary thinking, and invited Global One
2015 to make representations in response.
63. The Commissioner has received and considered Representations in
response to the Notice of Intent dated 30 April 2021.
64. The Commissioner is accordingly entitledo issue a monetary penalty in
this case.
65. The Commissioner has considered whether, in the circumstances, she
should exercise her discretion so as to issue a monetary penalty. She
has decided that a monetary penalty is an appropriate and proportionate
16 •
ICO.
Information Commissioner's Office
response to the finding of a serious contraventof regulations 22 and
23 of PECRby Global One.
66. The Commissioner's underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR. The instigation or
making of unsolicited direct marketingtexts is a matter of significant
public concern. A monetary penalty in this case should act as a general
encouragement towards compliance with the law, or at least as a
deterrent against non-compliance, on the part of all persons running
businesses currently engaging in these practices. This is an opportunity
to reinforce the need for businesses to ensure that they are only texting
consumers who want to receive these messages.
67. The Commissioner has also considered the likely impact of a monetary
penalty on Global One and in doing so has reviewed financial evidence
supplied alongside its representations.
The amount of the penalty
68. Taking into account all of the above, the Commissioner has decided that
the amount of the penalty is £10,000(Ten thousand pounds).
Conclusion
69. The monetary penalty must be paid to the Commissioner's office by
BACS transfer or cheque by 15 July 2021 at the latest. The monetary
penalty is not kept by the Commissioner but will be paid into the
Consolidated Fund which is the Government's general bank account at
the Bank of England.
17 •
ICO.
Information Commissioner's Office
70. If the Commissioner receives full payment of the monetary penalty by
14 July 2021 the Commissioner will reduce the monetary penalty by
20% to £8,000 (Eight thousand pounds). However, you should be
aware that the early payment discount is not available if you decide to
exercise your right of appeal.
71. There is a right of appeal to the First-tier Tribunal (InformRights)
against:
a) the imposition of the monetary penalty
and/or;
b) the amount of the penalty specified in the monetary penalty
notice.
70. Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.
71. Informationabout appeals is set out in Annex 1.
72. The Commissioner will not take action to enforce a monetary penalty
unless:
• the period specified within the notice within which a monetary penalty
must be paid has expired and all or any of the monetary penalty has
not been paid;
• all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdraand
• period for appealing against the monetary penalty and any variation of
it has expired.
18 •
ICO.
Information Commissioner's Office
73. In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner
as an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.
Datedthe 14th day of June 2021
Andy Curry
Head of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF
19 •
ICO.
Information Commissioner's Office
ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right
of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in accordance
with the law; or
b) to the extent that the notice involved an exercise of discretion by the
Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could
have been made by the Commissioner. In any other case the Tribunal will
dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:
GRC & GRPTribunals
PO Box 9300
Arnhem House
31 Waterloo Way
Leicester
LEl 8DJ
a) The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.
20 •
ICO.
Information Commissioner's Office
b) If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.
4. The notice of appeal should state:-
a) your name and address/name and address of your representative
(if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice
of appeal must include a request for an extension of time and the
reason why the notice of appeal was not provided in time.
5. Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.
6. The statutory provisions concerning appeals to the First-tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.
1976 (L.20)).
21
